Resistance of SNOW-V against Fast Correlation Attacks

Abstract. SNOW-V is a new member of the SNOW family of stream ciphers, aiming to be competitive in the 5G mobile communication system. In this paper, we study the resistance of SNOW-V against bitwise fast correlation attacks by constructing bitwise linear approximations. First, we propose and summarize some efficient algorithms using slice-like techniques to compute the bitwise linear approximations of certain types of composition functions composed of basic operations like ⊞, ⊕, Permutation, and S-box, which have been widely used in word-oriented stream ciphers such as SNOW-like ciphers. Then, using these algorithms, we find a number of stronger linear approximations for the FSM of the two variants of SNOW-V given in the design document, i.e., SNOW-V_σ0 and SNOW-V_⊞8,⊞8. For SNOW-V_σ0, where there is no byte-wise permutation, we find some bitwise linear approximations of the FSM with the SEI (Squared Euclidean Imbalance) around 2^-37.34 and mount a bitwise fast correlation attack with time complexity 2^251.93 and memory complexity 2^244, given 2^103.83 keystream outputs, which greatly improves the results in the design document. For SNOW-V_⊞8,⊞8, where both 32-bit adders in the FSM are replaced by 8-bit adders, we find our best bitwise linear approximation of the FSM with the SEI 2^-174.14, while the best byte-wise linear approximation in the design document of SNOW-V has the SEI 2^-214.80. Finally, we study the security of a closer variant of SNOW-V, denoted by SNOW-V_⊞32,⊞8, where only the 32-bit adder used for updating the first register is replaced by an 8-bit adder, while everything else remains identical. For SNOW-V_⊞32,⊞8, we derive many mask tuples yielding bitwise linear approximations of the FSM with SEI larger than 2^-184. Using these linear approximations, we mount a fast correlation attack with time complexity 2^377.01 and memory complexity 2^363, given 2^253.73 keystream outputs. Note that neither of our attacks threatens the security of SNOW-V. We hope our research could further help in understanding bitwise linear approximation attacks and the structure of SNOW-like stream ciphers.


Background
SNOW-V [8] is a new member of the SNOW family of stream ciphers, aiming to be competitive in the 5G mobile communication system. It is designed by revising the SNOW 3G architecture and keeps the general design of SNOW 3G. SNOW 3G [9] is one member of the SNOW family with two predecessors, SNOW 1.0 [7] and SNOW 2.0 [6]. SNOW 1.0 was submitted to the NESSIE project by Ekdahl and Johansson in 2000, and SNOW 2.0 is an improved version which was published in 2002 and selected as an ISO standard in 2005. Both SNOW 1.0 and SNOW 2.0 consist of two main components: a Linear Feedback Shift Register (LFSR) and a Finite State Machine (FSM), based on operations on 32-bit words, with high efficiency in both software and hardware environments. SNOW 3G was designed in 2006 by ETSI/SAGE, differing from SNOW 2.0 by introducing a third 32-bit register to the FSM and a corresponding 32-bit nonlinear transformation for updating this register. SNOW 3G serves as the core of the 3GPP Confidentiality and Integrity Algorithms UEA2 & UIA2 for UMTS and LTE networks. It is currently in use in 3G/4G mobile telephony systems, while SNOW-V aims to adapt SNOW 3G for 5G.
SNOW-V has kept most of the design of SNOW 3G in terms of the LFSR and the FSM, but both components are updated to better align with vectorized implementations. The LFSR part is now a circular construction consisting of two LFSRs, each feeding into the other, and the size of each register in the FSM part has been increased from 32 bits to 128 bits. At each clock, SNOW-V generates a 128-bit keystream word. The original version of SNOW-V appeared on the IACR ePrint on November 29, 2018, and later a stronger version was posted, where a byte-wise permutation σ was added in the updating function of the first register R1 of the FSM.
Linear approximation attacks, including distinguishing attacks and correlation attacks, have been widely used to analyze SNOW ciphers. The basic technique is to approximate the nonlinear operations in the cipher and then derive a linear approximation relation involving the keystream symbols. If the linear approximation also involves symbols from the LFSR states, a correlation attack can be mounted by utilizing some correlation between the keystream and the LFSR states. We give the references [4, 5] for the basic foundations of correlation attacks.

Related Work
The resistance of SNOW 2.0 against distinguishing attacks and correlation attacks has been widely studied. In these attacks, the first step is to approximate the FSM part through the linear masking method as proposed in [3], and then to cancel out the contributions of the registers by combining the expressions for several keystream words at different time instances. In [20] and [19], distinguishing attacks were given with the complexities 2^225 and 2^174 respectively. At Asiacrypt 2008, a correlation attack [15] was proposed with the complexity 2^212.38 by building bitwise linear approximations for the FSM. Note that all the attacks in [20, 19, 15] were based on bitwise linear approximations. At CRYPTO 2015, Zhang et al. [23] introduced the terminology "large-unit" linear approximations, and mounted a fast correlation attack on SNOW 2.0 by building byte-wise (8-bit) linear approximations, giving significantly reduced complexities, all below 2^164.15. In this process, they derived two types of byte-wise linear approximations, and accordingly provided two algorithms to compute the bias using the Squared Euclidean Imbalance (SEI) as defined in [1], with the complexities 2^33.58 and 2^26.58 respectively for each given byte-wise mask tuple. Later in [10], the correlation attack on SNOW 2.0 was improved slightly, with the complexity 2^162.91. Recently, [11] investigated the bitwise linear approximation of a certain type of composition function present in SNOW 2.0 and proposed a linear-time algorithm to compute the correlation for an arbitrary given linear mask. Based on this algorithm, they carried out a wider search for bitwise masks and found some strong linear approximations which enabled them to slightly improve the data complexity of the previous fast correlation attacks by using multiple bitwise linear approximations.
For SNOW 3G, the bitwise linear approximations over three rounds of the FSM were depicted in [19], but only rough estimates of the upper bounds of their correlations were given. In [11], a fast correlation attack was given by constructing bitwise linear approximations whose correlations were accurately computed. In [22], inspired by the results of [23] where the large-unit approach was used to achieve improvements over the previous attacks on SNOW 2.0, Yang et al. constructed three-round byte-wise linear approximations for the FSM of SNOW 3G and searched for actual byte-wise masks that gave high SEI values for the approximations. The byte-wise linear approximations found in [22] were also applied to launch a fast correlation attack against SNOW 3G.
For SNOW-V, there is no prior cryptanalysis beyond its design document [8], except for a result published in December 2020 [12], where a byte-based guess-and-determine attack was proposed with complexity 2^406. In [8], the designers presented their best results of the linear approximation attacks on several close variants of SNOW-V, including the original version of SNOW-V, denoted by SNOW-V_σ0, where the permutation is assumed to be just the identity σ0, and also SNOW-V_⊞8,⊞8, where both of the two 32-bit adders "⊞32" in the updating function of the FSM are replaced by the 8-bit ones "⊞8" while everything else remains identical. In all these analyses, they utilized "large-unit" linear approximations. For SNOW-V_σ0, they constructed byte-wise linear approximations and computed the bias using the SEI, giving their best result with the SEI 2^-58.7. With this byte-wise linear approximation, they also mounted a fast correlation attack following the method in [23] with a time complexity of about 2^232, requiring a keystream of length 2^203. In the course of computing the SEI for any given byte-wise mask, convolution algorithms were used to compute large distributions, which was computationally demanding. Besides, they also searched for byte-wise linear approximations for the FSM of SNOW-V_⊞8,⊞8. In their best attempt, they got a total noise with the SEI 2^-214.80. To the best of our knowledge, there has been no significant research on SNOW-V in the published literature until now.

Our Contributions
In this paper, we investigate the bitwise linear approximations for the FSM of SNOW-V through linear masking, and present fast correlation attacks on several close variants.
First, we summarize five types of sub-functions composed of basic operations like ⊞, ⊕, Permutation, and S-box, which have been widely used in word-oriented stream ciphers such as SNOW-like stream ciphers, and propose some linear-time algorithms to compute the correlation of the bitwise linear approximation for an arbitrary given linear mask tuple. For Type-I to Type-III, we utilize linear-time algorithms from [11, 19], and for Type-IV and Type-V, we propose new linear-time algorithms for efficiently computing the bitwise linear approximations by extending the techniques in [11, 19]. All these algorithms use a technique we call "slice-like" to efficiently compute the correlations. The general idea of the slice-like technique is to divide the n-bit values into d m-bit values (n = md) according to the specific structure of the underlying function (an m-bit S-box, for example), then pre-compute and store some specific matrices independent of the given linear mask, and finally compute the correlation for any given mask in linear time using these pre-computed matrices. The novelty lies in the construction of specific matrices which can be efficiently pre-computed. Using the slice-like techniques, the computation of a bitwise linear approximation costs only linear time by doing some matrix multiplications, while the convolution algorithms on large distributions in [8] need much more computation. Based on these algorithms, we are able to search for bitwise linear masks in a much larger range than the designers did for the byte-wise masks [8].
Then we apply these algorithms to the cryptanalysis of SNOW-V against linear approximation attacks. Our attacks target three variants of SNOW-V, two of which were introduced by the SNOW-V designers in [8], while the third is new.
• For SNOW-V_σ0, we find a number of bitwise linear approximations which have significantly larger SEI values than that of the best byte-wise linear approximation found in [8], and present a fast correlation attack using these newly found bitwise linear approximations. This attack has a time complexity of 2^251.93 and a memory complexity of 2^244, less than exhaustive key search, and requires a keystream of length around 2^103.83, which greatly improves the corresponding result of 2^203 in [8].
• For SNOW-V_⊞8,⊞8, we give a brief study of the bitwise linear approximation of the FSM. In our attempt to approximate the FSM, we have found our best bitwise linear approximation with the SEI 2^-174.14, while the SEI of the best byte-wise linear approximation found in [8] is 2^-214.80.
• For SNOW-V_⊞32,⊞8, a new and closer variant which keeps the byte-wise permutation σ but replaces only the 32-bit adder used for updating the first register by an 8-bit adder, we derive many bitwise mask tuples yielding bitwise linear approximations with SEI larger than 2^-184. Using these linear approximations, we mount a fast correlation attack with time complexity 2^377.01 and memory complexity 2^363, given 2^253.73 keystream outputs.
Note that neither of our attacks threatens the security of SNOW-V. But we hope our research could further help in understanding bitwise linear approximation attacks and the structure of SNOW-like stream ciphers.

Paper Organization
Some basic notations and definitions are presented in Section 2, together with a brief description of SNOW-V. In Section 3, we propose and summarize some algorithms to efficiently compute the bitwise linear approximations of certain types of composition functions. In Section 4 and Section 5, we apply these algorithms to the bitwise linear approximations of the FSM of SNOW-V_σ0 and SNOW-V_⊞32,⊞8, respectively. A brief study of the bitwise linear approximation of the FSM of SNOW-V_⊞8,⊞8 is given in Section 6.
Finally, some conclusions are provided with the future work pointed out in Section 7.

Notations and Definitions
The following notations and definitions are used throughout this paper.
• The bitwise exclusive-OR is denoted by "⊕" and the addition modulo 2^m by "⊞_m".
• The binary field is denoted by F_2 and its m-dimensional extension field by F_2^m. Besides, we denote by F*_2^m the multiplicative group of nonzero elements of F_2^m.
• Let n, m be two positive integers such that m divides n and d = n/m. Any x ∈ F_2^n can be written as x = (x_0 ... x_{d-1}), where x_i ∈ F_2^m for 0 ≤ i ≤ d − 1, and x_0 is the least significant part.
• For a set S, the number of elements in S is denoted by |S|.
• Let X be a binary random variable; the correlation between X and zero is defined as Cor(X) = Pr{X = 0} − Pr{X = 1}.
• An n-variable Boolean function f(x) is a mapping from F_2^n to F_2, i.e., f : F_2^n → F_2.
• The correlation of a Boolean function f : F_2^n → F_2 to zero is defined as Cor(f) = Pr{f(X) = 0} − Pr{f(X) = 1}, where X is a uniformly distributed random variable in F_2^n. Note that the correlation is often used to evaluate the efficiency of bitwise linear approximations in a linear approximation attack, where the data complexity is proportional to 1/Cor^2(f).
• An (n, m)-function F is a mapping F : F_2^n → F_2^m with F(x) = (f_0(x), ..., f_{m−1}(x)), where the f_i's are n-variable Boolean functions. F is also called an m-dimensional vectorial Boolean function.
• For an (n, m)-function F, the probability distribution D_F of F is given by D_F(a) = Pr{F(X) = a} for all a ∈ F_2^m, where X is uniformly distributed in F_2^n.
• The Squared Euclidean Imbalance (SEI) of a distribution D_F is defined as ∆(D_F) = 2^m Σ_{a ∈ F_2^m} (D_F(a) − 1/2^m)^2, which measures the distance between the target distribution and the uniform distribution. Especially for m = 1, ∆(D_F) is closely related to the correlation of F by ∆(D_F) = Cor^2(F). Note that the SEI of a distribution D_F over a general alphabet is used to evaluate the efficiency of large-unit linear approximations in a linear approximation attack, where the data complexity is proportional to 1/∆(D_F).
• The correlation of an (n, m)-function F : F_2^n → F_2^m with a linear output mask Γ ∈ F_2^m and a linear input mask Λ ∈ F_2^n is defined as Cor_F(Γ; Λ) = Pr{Γ • F(X) ⊕ Λ • X = 0} − Pr{Γ • F(X) ⊕ Λ • X = 1}, where "•" denotes the inner product and X is a uniformly distributed random variable in F_2^n.
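As a toy illustration of these definitions (using an arbitrary Boolean function that is not part of SNOW-V), the following sketch checks that for m = 1 the SEI of D_F equals the squared correlation, ∆(D_F) = Cor^2(F):

```python
def correlation(f, n):
    """Cor(f) = Pr[f(X) = 0] - Pr[f(X) = 1] over uniform X in F_2^n."""
    s = sum(1 if f(x) == 0 else -1 for x in range(2 ** n))
    return s / 2 ** n

def sei(dist):
    """SEI(D) = |A| * sum_a (D(a) - 1/|A|)^2 for a distribution over alphabet A."""
    size = len(dist)
    return size * sum((p - 1.0 / size) ** 2 for p in dist)

n = 8
f = lambda x: ((x * 167) ^ (x >> 3)) & 1   # arbitrary illustrative Boolean function
c = correlation(f, n)
p0 = sum(f(x) == 0 for x in range(2 ** n)) / 2 ** n
assert abs(sei([p0, 1 - p0]) - c ** 2) < 1e-12   # SEI = Cor^2 when m = 1
```

The identity follows from ∆ = 2[(p_0 − 1/2)^2 + (p_1 − 1/2)^2] = (2p_0 − 1)^2 = Cor^2.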

Description of SNOW-V
SNOW-V is a newly proposed member of the SNOW family of stream ciphers. It has kept the general design of SNOW 3G in terms of the LFSR and the FSM, but both components are updated to better align with vectorized implementations, and the size of each FSM register has been increased from 32 bits to 128 bits. The overall schematic of the SNOW-V algorithm is shown in Fig. 1. For more details on the design of SNOW-V, we refer to the original design document [8].
The LFSR part consists of two LFSRs, namely LFSR-A and LFSR-B, each made up of 16 cells of 16 bits, giving 512 bits in total. Denote the states of the LFSRs at time t as (a_{t+15}, a_{t+14}, ..., a_t) and (b_{t+15}, b_{t+14}, ..., b_t) for LFSR-A and LFSR-B respectively, where a_{t+i} and b_{t+i} represent elements in F_2^16 defined by two different generating polynomials: the elements a_{t+i} of LFSR-A are generated by the polynomial g_A(x) and the elements b_{t+i} of LFSR-B by the polynomial g_B(x), both specified in [8]. Let α be a root of g_A(x) and β be a root of g_B(x). The LFSR-A and LFSR-B sequences are given by the expressions a_{t+16} = b_t ⊕ αa_t ⊕ a_{t+1} ⊕ α^{−1}a_{t+8} and b_{t+16} = a_t ⊕ βb_t ⊕ b_{t+3} ⊕ β^{−1}b_{t+8} respectively, where "⊕" denotes the bitwise XOR of 16-bit blocks.
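One LFSR step can be sketched as below. The recurrences are those given above; the reduction constants used for multiplication by α, α^{−1}, β, β^{−1} correspond to the generating polynomials g_A, g_B of the design document [8] and are taken here from the public SNOW-V reference implementation — treat them as assumptions of this sketch.

```python
# Sketch of one LFSR clock of SNOW-V. The constants 0x990F/0xCC87 (LFSR-A)
# and 0xC963/0xE4B1 (LFSR-B) are assumptions taken from the public SNOW-V
# reference implementation, not derived in this paper.

MASK16 = 0xFFFF

def mul_x(v, c):
    """Multiply a field element by the root of its generating polynomial."""
    return ((v << 1) ^ c) & MASK16 if v & 0x8000 else (v << 1) & MASK16

def mul_x_inv(v, d):
    """Multiply a field element by the inverse of the root."""
    return (v >> 1) ^ d if v & 1 else v >> 1

def lfsr_step(A, B):
    """One clock: A, B are lists of 16 cells (a_t..a_t+15), (b_t..b_t+15)."""
    a16 = B[0] ^ mul_x(A[0], 0x990F) ^ A[1] ^ mul_x_inv(A[8], 0xCC87)
    b16 = A[0] ^ mul_x(B[0], 0xC963) ^ B[3] ^ mul_x_inv(B[8], 0xE4B1)
    return A[1:] + [a16], B[1:] + [b16]
```

Regardless of the exact constants, the update is F_2-linear in the state, i.e., stepping the XOR of two states gives the XOR of the stepped states — the property exploited when parity check equations are generated later.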
The FSM of SNOW-V has three 128-bit registers, R1, R2 and R3. Let T1_t be a 128-bit word taken from LFSR-B such that T1_t = (b_{8t+15}, b_{8t+14}, ..., b_{8t+8}), and T2_t a 128-bit word taken from LFSR-A such that T2_t = (a_{8t+7}, a_{8t+6}, ..., a_{8t}).
Let "⊞32" denote a parallel application of four additions modulo 2^32 over each 32-bit sub-word, and "⊕" the bitwise XOR operation of 128-bit blocks. The FSM takes the two blocks T1_t and T2_t as inputs, produces a 128-bit keystream word z_t = (T1_t ⊞32 R1_t) ⊕ R2_t as output, and updates the registers R1, R2 and R3 according to

R1_{t+1} = σ((T2_t ⊕ R3_t) ⊞32 R2_t),
R2_{t+1} = AES^R(R1_t),
R3_{t+1} = AES^R(R2_t),

where σ is a byte-wise permutation given by σ = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], and AES^R(•) denotes a full AES encryption round function with the round key constant being zero, as shown in Fig. 2. Let r be a 128-bit input to AES^R(•); then r = (r_0 r_1 ... r_15) is mapped to the state array of the AES round function column by column:

| r_0  r_4  r_8   r_12 |
| r_1  r_5  r_9   r_13 |
| r_2  r_6  r_10  r_14 |
| r_3  r_7  r_11  r_15 |

and the output can be written as MixColumns(ShiftRows(SubBytes(r))).
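A minimal sketch of one FSM clock, using the keystream equation z_t = (T1_t ⊞32 R1_t) ⊕ R2_t and the register updates R1_{t+1} = σ((T2_t ⊕ R3_t) ⊞32 R2_t), R2_{t+1} = AES^R(R1_t), R3_{t+1} = AES^R(R2_t) described above. A full AES round is outside the scope of this sketch, so AES^R is passed in as a callable; `fsm_step`, `add32x4` and `sigma` are illustrative helper names.

```python
# Sketch of one FSM clock of SNOW-V; aes_round is a stand-in for AES^R.

SIGMA = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
M32 = (1 << 32) - 1

def add32x4(x, y):
    """Parallel addition modulo 2^32 over the four 32-bit sub-words ("+_32")."""
    return sum((((x >> (32 * i)) + (y >> (32 * i))) & M32) << (32 * i)
               for i in range(4))

def sigma(x):
    """Byte-wise permutation sigma on a 128-bit value (byte 0 least significant)."""
    b = x.to_bytes(16, "little")
    return int.from_bytes(bytes(b[SIGMA[i]] for i in range(16)), "little")

def fsm_step(R1, R2, R3, T1, T2, aes_round):
    z = add32x4(T1, R1) ^ R2                   # z_t = (T1 +_32 R1) xor R2
    R1n = sigma(add32x4(R3 ^ T2, R2))          # R1' = sigma((T2 xor R3) +_32 R2)
    return z, (R1n, aes_round(R1), aes_round(R2))
```

Note that σ, as the transpose of the 4 × 4 byte array, is an involution: applying it twice returns the input.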

Computing the Bitwise Linear Approximations of Certain Types of Functions
In this section, we summarize some algorithms to efficiently compute the linear approximations of certain types of composition functions composed of basic operations like ⊞, ⊕, Permutation, and S-box, by using the slice-like techniques. These functions have been widely used in word-oriented stream ciphers such as SOSEMANUK [2] and SNOW-like ciphers.

Function Types
(1) Type-I function. We define the (n, n)-function Sbox : F_2^n → F_2^n as the Type-I function, which is constructed by several parallel small-scale S-boxes s_j such that Sbox(x) = (s_0(x_0) s_1(x_1) ... s_{d−1}(x_{d−1})), where x = (x_0 x_1 ... x_{d−1}) with x_j ∈ F_2^m and d = n/m, and the s_j are all (m, m)-functions, j = 0, 1, ..., d − 1.

Problem 1.
Compute the correlation of the bitwise linear approximation of the Type-I function Sbox(•) with respect to the output mask Γ^(0) and the input mask Γ^(1), which is denoted by Cor_1(Γ^(0); Γ^(1)).

Method and Complexity. The computation of the bitwise linear approximation of the Type-I function is usually carried out in a preprocessing phase and a processing phase. After the preprocessing phase, the processing phase costs only linear time. The detailed process is described in Appendix A.
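Since the Type-I function acts independently on each m-bit slice, Γ^(0) • Sbox(x) ⊕ Γ^(1) • x splits into d independent slice terms, so the correlation factors into a product of per-S-box correlations — the simplest instance of the slice-like idea. The sketch below (with illustrative 4-bit S-boxes, not those used in SNOW-V) pre-computes one correlation table per S-box and then evaluates any mask tuple with d table lookups:

```python
# Slice-wise computation of Cor_1 for a Type-I function (here n = 8, m = 4,
# d = 2). S0 is PRESENT's 4-bit S-box and S1 a shifted copy -- illustrative
# choices only.

def parity(v):
    return bin(v).count("1") & 1

def sbox_corr_table(s, m):
    """Preprocessing: T[g][l] = Cor(g . s(x) xor l . x) for one m-bit S-box."""
    size = 1 << m
    T = [[0.0] * size for _ in range(size)]
    for g in range(size):
        for l in range(size):
            acc = sum(1 - 2 * parity((g & s[x]) ^ (l & x)) for x in range(size))
            T[g][l] = acc / size
    return T

def cor1(tables, Gamma, Lambda, m):
    """Processing: Cor_1(Gamma; Lambda) as a product over slices, O(d) lookups."""
    c, mask = 1.0, (1 << m) - 1
    for j, T in enumerate(tables):
        c *= T[(Gamma >> (m * j)) & mask][(Lambda >> (m * j)) & mask]
    return c

S0 = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]
S1 = [S0[(x + 1) % 16] for x in range(16)]
TABLES = [sbox_corr_table(S0, 4), sbox_corr_table(S1, 4)]
```

The result agrees with a direct 2^n brute-force evaluation, while the processing phase touches only d table entries per mask tuple.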

(2) Type-II function. We define the function F : F_2^n × F_2^n × F_2^n → F_2^n as the Type-II function such that F(x^(1), x^(2), x^(3)) = x^(1) ⊞_n x^(2) ⊞_n x^(3), i.e., the addition modulo 2^n of three inputs.

Method and Complexity.
In [19], the authors proposed a linear-time algorithm to compute the correlation of the bitwise linear approximation of F for any given mask tuple; we describe it in Appendix B.
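To convey the flavor of such carry-based linear-time algorithms, the following sketch computes the correlation of the simpler two-input addition x ⊞_n y for an arbitrary mask tuple using a chain of 2 × 2 carry-transition matrices; the multi-input case of [19] works analogously with more carry states. This is an illustrative analogue, not the algorithm of Appendix B itself.

```python
# Linear-time correlation of Gamma.(x +_n y) xor L1.x xor L2.y via a
# per-bit carry DP (illustrative analogue of the matrix-chain algorithms).

def cor_add_matrix(Gamma, L1, L2, n):
    v = [1.0, 0.0]                            # mass per carry value; carry-in = 0
    for j in range(n):
        g, a, b = (Gamma >> j) & 1, (L1 >> j) & 1, (L2 >> j) & 1
        w = [0.0, 0.0]
        for c in (0, 1):
            for xj in (0, 1):
                for yj in (0, 1):
                    s = xj ^ yj ^ c           # sum bit at position j
                    cout = (xj + yj + c) >> 1  # carry into position j + 1
                    sign = 1 - 2 * ((g & s) ^ (a & xj) ^ (b & yj))
                    w[cout] += sign * v[c] / 4.0
        v = w
    return v[0] + v[1]                        # final carry is discarded mod 2^n
```

Each bit position contributes one small transition step, so the cost is O(n) per mask tuple instead of the 2^{2n} cost of direct enumeration.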
(3) Type-III function. We define the following function G : F_2^n × F_2^n → F_2^n as the Type-III function: G(x^(1), x^(2)) = x^(1) ⊞_n Sbox(x^(2)), where Sbox(•) is the Type-I function defined above. We emphasize the importance of this type of function, since it lies at the core of SNOW ciphers like SNOW 2.0, SNOW 3G and also SNOW-V, as later shown in Section 4.

Method and Complexity.
In [11], a linear-time algorithm is proposed to compute the correlation of the bitwise linear approximation of G under any given mask tuple, and then used to mount attacks on SNOW 2.0 and SNOW 3G. At a very high level, the idea is to divide the n-bit values into d values of m bits according to the specific structure of the function Sbox(•), then pre-compute and store some useful matrices, and finally compute the correlation by doing some matrix multiplications using these pre-computed matrices. The details are given in Appendix C.
(4) Type-IV function. Let n, m be two positive integers such that m divides n and d = n/m. Each variable x ∈ F_2^n can be split into d blocks of m bits each, i.e., x = (x_0 x_1 ... x_{d−1}) with x_j ∈ F_2^m for j = 0, 1, ..., d − 1. Let p be a permutation of 0 to d − 1 and define p(x) = (x_{p(0)} x_{p(1)} ... x_{p(d−1)}) for x ∈ F_2^n. Based on this, we define the function H : F_2^n × F_2^n × F_2^n → F_2^n as the Type-IV function such that H(x^(1), x^(2), x^(3)) = x^(1) ⊞_n p(x^(2) ⊞_m x^(3)), which is composed of the addition modulo 2^n ("⊞_n"), the block-wise addition modulo 2^m ("⊞_m") and the permutation p.
(5) Type-V function. Let l, n, m be three positive integers such that m divides n and n divides l, with d = n/m and d' = l/n. Each variable X ∈ F_2^l can be split into d' blocks of n bits each, i.e., X = (X_0 X_1 ... X_{d'−1}) with X_k ∈ F_2^n for k = 0, 1, ..., d' − 1, and each X_k ∈ F_2^n can in turn be split into d blocks of m bits each, i.e., X_k = (x_{kd} x_{kd+1} ... x_{kd+(d−1)}) with x_{kd+j} ∈ F_2^m for j = 0, 1, ..., d − 1. Let P be a permutation of 0 to dd' − 1 such that P(X) = (x_{P(0)} ... x_{P(d−1)} ... x_{P(kd)} ... x_{P(kd+(d−1))} ...).

Method and Complexity.
As later shown in Section 5, this type of function plays an important role in analyzing the strength of SNOW-V against linear approximation attacks. We will show how to compute the correlation of the bitwise linear approximation in Section 3.3.

Method and Complexity.
Due to the definition of the permutation p, the inner map p(x^(2) ⊞_m x^(3)) acts block-wise, with the j-th output block determined by p(j) for j = 0, 1, ..., d − 1, so it belongs to the Type-I category. Thus H actually falls into the Type-III category, and can be handled using the method in [11] (Theorem 3 in Appendix C). We describe the process as follows.
For a given partial mask tuple V = (γ^(0), γ^(1), γ^(2), γ^(3)) with γ^(i) ∈ F_2^m, we define a general expression h for all the h_j of the form ... ⊕ γ^(2) • y ⊕ γ^(3) • z, where x, y, z ∈ F_2^m and ic ∈ {0, 1}. Thus we have ... for ic ∈ {0, 1} and α ∈ {0, 1}. Based on this, we say that the row vector l_2, the column vector e_0 and the matrices C_V for all 2^{4m} possibilities of V form a linear representation of the correlation of all the bitwise linear approximations of the Type-IV function H. Now the task remains to compute these matrices.
For any given partial mask tuple V = (γ^(0), γ^(1), γ^(2), γ^(3)), the straightforward approach to compute the matrix C_V by (7) needs a time complexity of O(2^{3m+1}). If our goal is to find all those mask tuples (Γ^(0), Γ^(1), Γ^(2), Γ^(3)) such that the linear approximations of H are highly biased, we seem to need to pre-compute the matrices C_V for all 2^{4m} possibilities of V, and thus the time complexity would be O(2^{7m+1}), which is impractical for the most common value m = 8. Fortunately, this can be efficiently solved by adapting the idea of Theorem 2 in Appendix B to our case to compute the matrices C_V for all possible values of V.
In the following, we will derive a linear representation for the matrices C_V by adapting the bit-slicing technique of Theorem 2.

A Linear Representation for the Matrices C_V
Write x, y, z and also γ^(i) in bits as x = (x_0, ..., x_{m−1}), y = (y_0, ..., y_{m−1}), z = (z_0, ..., z_{m−1}) and γ^(i) = (γ^(i)_0, ..., γ^(i)_{m−1}) for i = 0, 1, 2, 3. We have derived the following expressions for (r, oc) of the general expression h: ..., with oc(ic, •) = cr^1_m, where cr^0_j, cr^1_j ∈ {0, 1} are the local carries introduced by the two additions modulo 2^m such that ... Through the above analysis, we describe in the following theorem a linear-time algorithm to compute the matrix C_V for each given V.

Algorithm 2 Construction of the matrices c_v for all v

1: Prepare two 4 × 4 matrices N^0 and N^1;
2: for v = (v^(0), v^(1), v^(2), v^(3)) ∈ F_2^4 do
3:   Create a matrix c_v of size 4 × 4;
4:   Initialize N^0 and N^1 with zeros;
5:   compute oc^0 = ⌊(y + z + ic^0)/2⌋;
     ...
8:   compute ...

Remark. From Algorithm 2, all the matrices c_v can be constructed with a total time complexity of about 2^4 × 2^5 = 2^9 and a total memory complexity of 2^4 × (4 × 4) = 2^8. For a fixed V, the matrix C_V can be computed according to Theorem 1 by doing m matrix multiplications of small size, utilizing the matrices c_{v_j} and the constant matrices L and E, which needs only a linear-time complexity of O(m), whereas the straightforward method by Eq. (7) would require a complexity of O(2^{3m+1}). Now we summarize the general process for computing the correlation of the bitwise linear approximation of H for any given mask tuple (Γ^(0), Γ^(1), Γ^(2), Γ^(3)) in the following two phases: • In the preprocessing phase, we pre-compute the matrices C_V for all (at most) 2^{4m} possible values of V according to Theorem 1, which requires a total time complexity of O(m·2^{4m}) and a total memory complexity of O(2^{4m}) for all V.

Analysis of SNOW-V When Assuming σ to Be Identity
We consider a general approach to analyze SNOW-V against linear approximation attacks.
That is, we try to approximate the FSM part through linear masking and then cancel out the contributions of the registers R1, R2 and R3 by combining expressions for several keystream outputs. In this section, we assume σ to be the identity (denoted by σ0), i.e., there is no byte-wise permutation in the FSM part, as depicted in Fig. 3; this is also the original version of SNOW-V appearing on the IACR ePrint on November 29, 2018. We denote it SNOW-V_σ0 to make a distinction. We will first study the bitwise linear approximations for the FSM of SNOW-V_σ0 using the linear-time algorithms in Section 3, and then present a bitwise fast correlation attack accordingly.

Bitwise Linear Approximation of the FSM of SNOW-V_σ0
To build the bitwise linear approximation of the FSM of SNOW-V_σ0, we consider applying the 128-bit linear masks Φ, Γ and Λ to z_{t−1}, z_t and z_{t+1} respectively. Let u_t = R1_{t−1}, v_t = R2_{t−1} and w_t = R1_t. According to the update expressions for the registers of the FSM, when σ is just the identity, the first register R1 is updated according to R1_{t+1} = (T2_t ⊕ R3_t) ⊞32 R2_t. We then have R2_{t+1} = AES^R(w_t). Regarding the internal states and keystream outputs, we consider four associated bitwise linear approximations, denoted (a), (b), (c) and (d), obtained by introducing a 128-bit intermediate linear mask Θ, where n_a^(t), n_b^(t), n_c^(t) and n_d^(t) are the noises introduced by these linear approximations. Let n^(t) = n_a^(t) ⊕ n_b^(t) ⊕ n_c^(t) ⊕ n_d^(t). With the above relations, the bitwise linear approximations of the FSM of SNOW-V_σ0 take the form of relation (9). Basically, we first want to find mask tuples (Φ, Γ, Λ) for (9) such that n^(t) is highly biased, and then employ them in a bitwise fast correlation attack. For the four linear approximation relations (a), (b), (c) and (d), we have the following illustrations.
2. Similarly, for the linear approximation relation (b), we let y_t = SubBytes(w_t), and Λ' be the mask such that Λ' • y_t = Λ • MixColumns(ShiftRows(y_t)); then the noise n_b can be expressed in terms of the mask tuple (Γ; Γ, Λ'). 3. For the linear approximation relation (c), the noise n_c can be expressed analogously. 4. For the linear approximation relation (d), we note that the noise n_d involves only the SubBytes(•) operation. To sum up, the four linear approximations can be rewritten accordingly. Since the distributions of the noises n_a^(t), n_b^(t), n_c^(t) and n_d^(t) are independent of the time instance t, we simplify the notation by writing n_a, n_b, n_c and n_d respectively. Let Cor_FSM(Φ, Γ, Λ) denote the correlation of the linear approximation relation (9) corresponding to the linear mask tuple (Φ, Γ, Λ). Applying the results on correlations over composition functions in [18], Cor_FSM(Φ, Γ, Λ) factors through the correlations of these noise terms. In the next part, we will show how to compute the correlations of the noise terms n_a, n_b, n_c and n_d respectively, and finally obtain Cor_FSM(Φ, Γ, Λ).

Computation of the Correlations of n a and n b
Note that n_a and n_b have the same form but different 128-bit linear mask tuples, namely (Φ; Φ, Θ') for n_a and (Γ; Γ, Λ') for n_b. Let G : F_2^128 × F_2^128 → F_2^128 be a vectorial Boolean function such that G(X^(1), X^(2)) = X^(1) ⊞32 SubBytes^{−1}(X^(2)), where X^(1) and X^(2) are both 128-bit (4-word) random variables. Let X^(1) = (x^(1)_0, x^(1)_1, x^(1)_2, x^(1)_3) and X^(2) = (x^(2)_0, x^(2)_1, x^(2)_2, x^(2)_3), where x^(i)_k ∈ F_2^32 for k = 0, 1, 2, 3. We define another function G' as follows: G'(x^(1), x^(2)) = x^(1) ⊞_32 Sbox^{−1}(x^(2)), where Sbox^{−1}(•) represents the output of four parallel applications of S_R^{−1}. Then G' belongs to the Type-III function defined in Section 3.1 with the parameters n = 32, m = 8 and d = 4. Note that the operation "⊞32" in G(•) is a parallel application of four additions modulo 2^32 over each 32-bit sub-word. It is easy to verify that G(•) can be expressed as four functions G' in parallel. Based on this, the correlation of n_a with the mask tuple (Φ; Φ, Θ') and the correlation of n_b with the mask tuple (Γ; Γ, Λ') can be computed according to the Piling-up lemma [17] as a product of four word-wise correlations, where the matrices M_(a_j, a_j, b_j) are pre-computed by Algorithm 1 in Appendix C by setting all the parallel functions s_j to be S_R^{−1}. Generally, to compute Cor_3(A; A, B) for any A, B ∈ F_2^32, we first pre-compute 2^8 × 2^8 = 2^16 matrices M_(α, α, β) by trying all the possibilities of α, β ∈ F_2^8, which requires a time complexity of 2^16 × (2^16 × 2) = 2^33 and a memory complexity of 2^16 × (2 × 2) = 2^18 according to Algorithm 1. Using these pre-computed matrices, Cor_3(A; A, B) can be obtained by doing 4 matrix multiplications of small size, and thus the value of Cor(n_a) with any given (Φ; Φ, Θ') (resp. Cor(n_b) with any given (Γ; Γ, Λ')) can be easily derived.
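The word-wise factorization above relies on the Piling-up lemma. The following toy check (with arbitrary illustrative probabilities) confirms that for independent binary noises the correlation of their XOR equals the product of the individual correlations:

```python
# Toy verification of the Piling-up lemma: Cor(e1 xor e2 xor e3) =
# Cor(e1) * Cor(e2) * Cor(e3) for independent binary noises.
import math
from itertools import product

probs = [0.7, 0.55, 0.9]                  # Pr[e_i = 0], illustrative values
cors = [2 * p - 1 for p in probs]         # Cor(e_i) = Pr{e_i=0} - Pr{e_i=1}

# Exact probability that the XOR of the three noises is zero.
pr0 = sum(
    math.prod(p if b == 0 else 1 - p for b, p in zip(bits, probs))
    for bits in product((0, 1), repeat=3)
    if bits[0] ^ bits[1] ^ bits[2] == 0
)
assert abs((2 * pr0 - 1) - math.prod(cors)) < 1e-12
```

This is why the 128-bit correlations here reduce to products of four independent 32-bit word correlations.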
For the value of Cor_3(A; A, B) under any given masks A, B, we have the following conclusion, which will help in finding good linear approximations for the FSM of SNOW-V_σ0. The proof is given in Appendix E.
For n_c, we denote the involved masks by Λ, Θ, Γ. Then the correlation of n_c with the mask tuple (Λ; Λ, Λ, Θ ⊕ Γ) can be computed word by word. Complexity. For any 32-bit masks A, B, we use the approach in Appendix B to compute Cor_2(A; A, A, B). For this computation, we only need to pre-compute four 3 × 3 matrices D_(α, α; α; β) for α, β ∈ F_2, corresponding to a time complexity of 4 × (2^3 × 3) ≈ 2^6.58 and a memory complexity of 4 × (3 × 3) ≈ 2^5.17. The value of Cor_2(A; A, A, B) can then be obtained by doing 32 matrix multiplications of small size, and thus the value of Cor(n_c) with any given mask tuple (Λ; Λ, Λ, Θ ⊕ Γ) can be easily derived.

Computation of the Correlation of n d
Note that n_d involves SubBytes(•), which is an application of 16 AES S-boxes S_R and can also be represented as four parallel applications of the function Sbox(•), which is the Type-I function with the parameters n = 32 and m = 8. Then the correlation of n_d with the mask tuple (Λ'; Φ) can be computed as a product of four Type-I correlations, which can be derived by four table lookups, and thus the value of Cor(n_d) with any given mask tuple (Λ'; Φ) can be directly derived.

Computation of Cor_FSM(Φ, Γ, Λ)
From the above discussion, we have obtained Cor(n_a), Cor(n_b), Cor(n_c) and Cor(n_d); thus the correlation of the linear approximation relation (9) corresponding to the linear mask tuple (Φ, Γ, Λ) can be computed as their combination, giving Equation (10). In the following part, we will show how to search for mask tuples (Φ, Γ, Λ) such that |Cor_FSM(Φ, Γ, Λ)| is as large as possible.

Search for Linear Masks (Φ, Γ, Λ) for Cor_FSM(Φ, Γ, Λ)
In this part, we hope to find mask tuples (Φ, Γ, Λ) such that |Cor_FSM(Φ, Γ, Λ)| computed by Equation (10) is as large as possible. Obviously, executing the search over all possible mask values is impractical. Therefore, we consider a search strategy attempting to find some potential linear masks.
For ease of description, we define the following two sets S_id and S'_id for id ∈ {0, 1, 2, 3}: ... Note that S'_id ⊂ S_id for a fixed value id. For Λ, let Λ' be the mask such that Λ' • X = Λ • MixColumns(ShiftRows(X)) for all X ∈ F_2^128. According to the computation of Λ' from Λ in Appendix D, we have the following observations: (1) If Λ ∈ S_id and Λ' ∈ S_id, then Λ ∈ S'_id.
(2) If Λ ∈ S'_id, then Λ' ∈ S'_id, and there are in total 255 choices of Λ'_id for Λ ∈ S'_id, which are listed in Table 3 of Appendix F.
Based on this, we propose the following search strategy. Intuitively, we hope most terms of the product in (10) to be 1. To achieve this, we choose the masks Φ, Γ, Λ such that Φ, Γ, Λ ∈ S_id for any given id ∈ {0, 1, 2, 3}. Also, we hope Λ ∈ S'_id. According to the above observations, we then have Λ' ∈ S'_id and obtain 255 possible values for Λ'. Besides, we can deduce from Corollary 1 that the terms of the sum in Equation (10) have nonzero values if and only if Θ ∈ S_id and Θ' ∈ S_id, thus Θ ∈ S'_id, and Θ' has the same 255 possible choices as Λ'. Under the above conditions, Equation (10) simplifies accordingly. Let id take a fixed value. Our search strategy for the mask tuples (Φ, Γ, Λ) begins by setting Φ ∈ S_id, Γ ∈ S_id and choosing Λ' from Table 3. Then the search is carried out according to the following steps.

Using the Bitwise Linear Approximations in a Fast Correlation Attack on SNOW-V σ0
The bitwise linear approximations of the FSM of SNOW-V σ0 have the following form. We use the 4 × 4 = 16 mask tuples in Table 1 for the approximations (id takes 0, 1, 2, 3). These bitwise linear approximation relations have an average correlation of α = 2^−18.79. Generally, a fast correlation attack is a key recovery attack that tries to recover the key by utilizing the correlation between the keystream and the output of the LFSR states; it is commonly modeled as a decoding problem, as done in [13, 14, 15, 21]. We need to decode a binary [N, l]-linear code through a Binary Symmetric Channel (BSC) with the error probability p = (1/2)(1 − α), where α = 2^−18.79. The model is shown in Fig. 4.

Figure 4: Model for a bitwise fast correlation attack
Accordingly, the bitwise fast correlation attack on SNOW-V σ0 is divided into a preprocessing phase and a processing phase. In the preprocessing phase, we first collect N samples involving only the keystream words and the l = 512 LFSR initial state bits, and then try to reduce the number of involved LFSR initial state bits to l′ (< l) at the expense of a folded noise level, by searching among these samples for 4-tuples which vanish on the most significant l − l′ bits, thereby generating parity-check equations. After this, we enter the processing phase to recover the target l′ bits using the Fast Walsh Transform (FWT), as done in [5, 16], and further the whole LFSR initial state of SNOW-V σ0.
For example, if l′ = 244, we need about 2l′ ln 2/(α^4)^2 = 2^158.71 samples with correlation α^4 to recover them, i.e., the number of 4-tuples found from the N samples should be at least 2^158.71. To ensure this, N should satisfy (N choose 4) · 2^−(l−l′) ≥ 2^158.71, i.e., N should be at least 2^107.83. We let N = 2^107.83; an approach to find all these sums requires a time complexity of O(N^2 log N) = O(2^222.40). Using these 2^158.71 new samples, we can recover 244 bits of the LFSR initial state by the FWT with a time complexity of O(2^158.71 + l′2^l′) = O(2^251.93) and a memory complexity of O(2^244). The above procedure requires 2^107.83 samples; since each keystream output yields 16 samples (one per mask tuple), a keystream of length 2^103.83 suffices.
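The FWT-based recovery in the processing phase can be illustrated at toy scale. The sketch below is a simplified model with illustrative parameters (a 12-bit target and correlation 2^−2, not the attack's actual values): it accumulates noisy parity-check samples into a count table and recovers the target bits with a Walsh–Hadamard transform.

```python
import random

def walsh_hadamard(t):
    """In-place fast Walsh-Hadamard transform of a list of length 2^k."""
    n, h = len(t), 1
    while h < n:
        for i in range(0, n, h * 2):
            for j in range(i, i + h):
                x, y = t[j], t[j + h]
                t[j], t[j + h] = x + y, x - y
        h *= 2
    return t

def recover_key(samples, l_bits):
    """samples: list of (mask a, noisy bit z) with z = parity(a & key) ^ noise.
    Returns the key candidate maximizing the correlation, found via the FWT."""
    t = [0] * (1 << l_bits)
    for a, z in samples:
        t[a] += -1 if z else 1       # accumulate (-1)^z per mask value
    walsh_hadamard(t)                # t[k] is now the correlation count of key k
    return max(range(1 << l_bits), key=lambda k: t[k])

# Toy experiment: 12-bit key, noise with correlation 2^-2
random.seed(1)
l_bits, key = 12, 0x5A3
samples = []
for _ in range(1 << 16):
    a = random.getrandbits(l_bits)
    noise = 1 if random.random() < 0.5 * (1 - 2 ** -2) else 0
    z = bin(a & key).count("1") % 2 ^ noise
    samples.append((a, z))
```

On this toy instance the correct key maximizes the transformed count with overwhelming probability; in the real attack the same transform evaluates all candidates of the l′ target bits in time on the order of l′·2^l′.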

Comparison
In the design document of SNOW-V [8], the designers devote one section to SNOW-V σ0 (see Section 3.4 of [8]), where they construct byte-wise linear approximations and compute the SEI of large distributions by convolution algorithms, giving their best result with the SEI 2^−58.7. With this byte-wise linear approximation, they give a fast correlation attack using the method in [23]. The time complexity is about 2^232, and the required length of the keystream is 2^203.
Different from the designers' method, which utilizes large-unit approximations, this paper exploits bitwise linear approximations to mount fast correlation attacks. In the above sections, we have described how to employ the linear-time algorithms in Section 3 to efficiently compute the correlations of the noise terms n_a, n_b, n_c and n_d, and finally obtain ε_FSM(Φ, Γ, Λ) for any given linear mask tuple (Φ, Γ, Λ) of SNOW-V σ0. All these algorithms combine the so-called "slice-like" technique, where some specific matrices independent of the given linear mask are pre-computed, and the correlation of the bitwise linear approximation for any given mask is then computed by matrix multiplications using the pre-computed matrices. Our search algorithms cost only linear time for an arbitrary given linear mask tuple, while the convolution algorithms on large distributions in [8] need much more computation. Based on these algorithms, we carried out a larger-range search for bitwise masks and successfully found many stronger approximations which are "outside" the byte-wise approximations given in [8], thus resulting in better fast correlation attacks on SNOW-V σ0. The best bitwise linear approximations we found have the SEI (squared correlation) 2^−37.34, while the best byte-wise linear approximation given in [8] has the SEI 2^−58.7. That is, the newly found bitwise linear approximations have significantly larger SEI values than the best 8-bit linear approximation in [8]. Using the stronger approximations, we present a fast correlation attack with a time complexity of 2^251.93 and a memory complexity of 2^244, less than exhaustive key search, requiring a keystream of length around 2^103.83, much less than the 2^203 required in [8].

5 Analysis of SNOW-V⊞32,⊞8
In this section, we analyze the resistance of SNOW-V against linear approximation attacks when using σ as proposed. In the design document of SNOW-V [8], the authors give their research results on a variant of SNOW-V, where both of the two 32-bit adders "⊞32" in the FSM are replaced by the 8-bit adders "⊞8"; we denote this variant by SNOW-V⊞8,⊞8 and will give our analysis of it in Section 6. Here, we focus on another variant of SNOW-V, where only the 32-bit adder used for updating the first register R1 is replaced by "⊞8", as depicted in Fig. 5, while everything else remains identical. We denote it by SNOW-V⊞32,⊞8.

Computation of the Correlations of n_a and n_b
Note that n_a^(t) and n_b^(t) are the same as those in Section 4.1. We simplify the noises n_a^(t), n_b^(t), n_c^(t) and n_d^(t) to n_a, n_b, n_c and n_d, respectively. Let R_{k,j} = (Φ_{k,j}, Φ′_{k,j}, Θ_{k,j}) for k = 0, 1, 2, 3 and j = 0, 1, 2, 3. According to Theorem 3 in Appendix C, ε(n_a) is obtained as a product over the tuples R_{k,j}. Similarly, letting R′_{k,j} = (Γ_{k,j}, Γ′_{k,j}, Λ_{k,j}) for k = 0, 1, 2, 3 and j = 0, 1, 2, 3, we obtain ε(n_b).

Computation of the Correlation of n_c
For the bitwise linear approximation relation (c), let ξ_t = T2_t ⊕ AES^R(v_t) and η_t = AES^R(u_t); then the noise n_c^(t) can be expressed in terms of ξ_t and η_t. Obviously, n_c can be viewed as the noise introduced by the bitwise linear approximation of the Type-V function H defined in Section 3.1 with the mask tuple (Λ; Λ, σ(Λ), Θ ⊕ Γ).

Computation of the Correlation of n_d
For the bitwise linear approximation relation (d), we denote by σ(Λ)′ the mask computed from σ(Λ) as in Appendix D; the noise n_d^(t) can then be expressed as an approximation over SubBytes(·), which is an application of 16 AES S-boxes S_R. The correlation of n_d can thus be computed as a product of 16 S-box correlations, each obtained by looking up the LAT pre-computed in Section 4.2.3, i.e., 16 table lookups in total.
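The LAT lookup step can be sketched with a small S-box. In the sketch below, the 4-bit PRESENT S-box serves purely as a stand-in for the 8-bit AES S-box S_R (whose 256 × 256 LAT is built the same way), and the correlation of a layer of parallel independent S-boxes is the product of the per-box entries, by the piling-up lemma.

```python
def parity(v):
    return bin(v).count("1") & 1

def lat(sbox, n):
    """LAT[a][b] = correlation of the approximation a.x = b.S(x) over n-bit x."""
    size = 1 << n
    return [[sum((-1) ** (parity(a & x) ^ parity(b & sbox[x]))
                 for x in range(size)) / size
             for b in range(size)]
            for a in range(size)]

# 4-bit PRESENT S-box, used here only as a small stand-in for S_R
PRESENT = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]
LAT = lat(PRESENT, 4)

def layer_correlation(in_masks, out_masks):
    """Correlation of a layer of parallel independent S-boxes: the product
    of the per-box LAT entries (16 lookups in the case of SubBytes)."""
    c = 1.0
    for a, b in zip(in_masks, out_masks):
        c *= LAT[a][b]
    return c
```

For SubBytes this becomes 16 lookups in the 8-bit LAT, one per byte position of the mask pair.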

Search for Linear Masks (Φ, Γ, Λ)
For a given mask tuple (Φ, Γ, Λ), the correlation ε_FSM(Φ, Γ, Λ) of the linear approximation of the FSM of SNOW-V⊞32,⊞8 is obtained accordingly. We will use the notation S_id defined in Section 4.3 to illustrate our search strategy. In our attempt to find (Φ, Γ, Λ) such that the linear approximation of the FSM of SNOW-V⊞32,⊞8 is highly biased, we observed that when both Φ ∈ S_id and Γ ∈ S_id are satisfied, |ε_FSM(Φ, Γ, Λ)| is more likely to be large. According to Corollary 1, we must have Θ ∈ S_id (resp. Λ ∈ S_id) to guarantee ε(n_a) ≠ 0 (resp. ε(n_b) ≠ 0). Besides, considering the term ε(n_d), since Φ ∈ S_id, we get that ε(n_d) ≠ 0 only if σ(Λ) ∈ S_id. Thus, the constraint on Λ is that both Λ ∈ S_id and σ(Λ) ∈ S_id are satisfied, from which we derive that σ(Λ) = Λ, and for each fixed value of id ∈ {0, 1, 2, 3}, there are 255 choices for Λ, which are defined as follows.

Table 2: The best linear masks (Φ, Γ, Λ) for the bitwise linear approximation of the FSM of SNOW-V⊞32,⊞8

Φ                                    Γ                                    Λ                                    log2 SEI
08050f0c050f0c08                     0000000000000000                     0000000000000000                     −91.603
0x0f0c08050c08050f 08050f0c050f0c08  0x02b3240700000000 0000000000000000  0x0500050000000000 0000000000000000  −91.606

Remark. For the mask tuple (Φ, Γ, Λ) in the first row of Table 2 with id = 0, we computed by experiments the values of ε(n_a)ε(n_c) for all Θ such that Θ ∈ S̄_id, and thus obtained the accurate value of the sum of ε(n_a)ε(n_c) over Θ ∈ S̄_id. Our results show that ε(n_a)ε(n_c) ≠ 0 only when Θ takes the value σ(Λ), i.e., Θ = σ(Λ). Thus the value of ε(n_a)ε(n_c) with Θ = σ(Λ) is actually equal to the sum of ε(n_a)ε(n_c) over Θ ∈ S̄_id (and hence over all Θ), which gives an illustration of the above observation.

A Fast Correlation Attack on SNOW-V⊞32,⊞8
The bitwise linear approximations of the FSM of SNOW-V⊞32,⊞8 have the following form. We use those 864 mask tuples (Φ, Γ, Λ) such that |ε_FSM(Φ, Γ, Λ)| ≥ 2^−92 for the approximations; the corresponding bitwise linear approximation relations have the correlation α. We first collect N samples involving only the keystream words and the l = 512 LFSR initial state bits, and then try to reduce the number of involved LFSR initial state bits to l′ (< l) by searching for pairs of samples which vanish on the most significant l − l′ bits, at the expense of an increased noise level with correlation α^2. There are about M ≈ N(N − 1)2^−(l−l′+1) such pairs, corresponding to M approximation relations with correlation α^2 involving only l′ bits of the LFSR initial state, which can be found by the sort-and-merge procedure with time/memory complexity O(N). To recover the value of the target l′ bits, we again use the FWT to speed up the evaluation of the M linear approximation relations, which needs a time complexity of O(M + l′2^l′) and a memory complexity of O(2^l′). Setting M = 2l′ ln 2/(α^2)^2, the parameter N is determined as N ≈ √(M · 2^(l−l′+1)), and the required number of keystream outputs is D = N/864.

Complexity Analysis. For SNOW-V⊞32,⊞8, we follow the above procedure with the parameters l = 512, l′ = 363. In this case, we need to prepare M = 2l′ ln 2/(α^2)^2 = 2^376.98 approximation relations with correlation α^2 involving the first 363 bits of the LFSR initial state. The required number of samples is N = √(M · 2^(l−l′+1)) = 2^263.49, and we need D = N/864 = 2^253.73 keystream outputs. The time/memory complexity for preparing the M approximation relations is 2^263.49. The FWT is utilized to determine the first 363 bits of the LFSR initial state, which needs a time complexity of 2^377.01 and a memory complexity of 2^363. Once the first 363 bits are recovered, the other bits and the FSM state can be recovered by a similar method and a small-scale exhaustive search with much lower complexity.
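The parameter derivation above can be checked in log2 arithmetic. The sketch below assumes α = 2^−92 as the correlation of a single approximation relation (consistent with the selection threshold |ε_FSM(Φ, Γ, Λ)| ≥ 2^−92); the computed exponents reproduce M = 2^376.98, N = 2^263.49 and D = 2^253.73.

```python
import math

l, lp = 512, 363          # LFSR state size l and targeted bits l'
log2_alpha = -92.0        # correlation of one relation (assumed from the threshold)
num_rel = 864             # number of mask tuples used per keystream output

# M = 2 l' ln2 / (alpha^2)^2, computed in log2 to avoid float overflow
log2_M = math.log2(2 * lp * math.log(2)) - 4 * log2_alpha
# N ~ sqrt(M * 2^(l - l' + 1)) samples are needed to produce M pairs
log2_N = (log2_M + (l - lp + 1)) / 2
# D = N / 864 keystream outputs, since each output yields 864 samples
log2_D = log2_N - math.log2(num_rel)
print(round(log2_M, 2), round(log2_N, 2), round(log2_D, 2))
```

The printed exponents match the figures quoted in the text to two decimal places.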
6 Analysis of SNOW-V⊞8,⊞8
In this section, we give a brief study of the bitwise linear approximations of the FSM of SNOW-V⊞8,⊞8, whose byte-wise linear approximation has been studied in the design document of SNOW-V [8]. With this simplification, all operations are byte-oriented. We can compute the correlations of the involved noise terms n_1, n_2, n_3 and n_4 by doing some matrix multiplications using the pre-computed matrices in Section 3, which costs only linear time and thus allows a wide-range search for bitwise masks. In our experiments, we found a number of bitwise approximations stronger than the best byte-wise one in [8], among which the best has the SEI 2^−174.14. Thus we have increased the SEI of the linear approximation from 2^−214.80 to 2^−174.14, which is a big improvement.

Conclusion
In this paper, we present a number of stronger linear approximations for the FSM of several variants of SNOW-V, i.e., SNOW-V σ0, SNOW-V⊞8,⊞8 and SNOW-V⊞32,⊞8, and further propose attacks accordingly, resulting in bitwise fast correlation attacks faster than those in the design document of SNOW-V [8]. We first propose and summarize some efficient algorithms using the slice-like techniques to compute the linear approximations of certain types of composition functions composed of basic operations like ⊞, ⊕, Permutation and S-box, which are the underlying functions arising in the linear approximations of SNOW-like stream ciphers. Based on this, we find some bitwise linear approximations for the FSM of SNOW-V σ0 with the SEI around 2^−37.34 and mount a bitwise fast correlation attack with a time complexity of 2^251.93 and a memory complexity of 2^244, given 2^103.83 keystream outputs, which greatly improves the results in the design document. Besides, we find our best bitwise linear approximations for the FSM of SNOW-V⊞8,⊞8 with the SEI 2^−174.14, while the best byte-wise linear approximation in [8] has the SEI 2^−214.80. Further, we study a closer variant of SNOW-V, i.e., SNOW-V⊞32,⊞8, and derive many mask tuples for its FSM yielding linear approximations with the SEI larger than 2^−184. Using these linear approximations, we mount a fast correlation attack with a time complexity of 2^377.01 and a memory complexity of 2^363, given 2^253.73 keystream outputs. Although neither of our attacks threatens the security of SNOW-V, we shed new light on the structure of SNOW-like stream ciphers and on bitwise linear approximation attacks. We believe this research will be useful for future work on the bitwise linear approximations of SNOW-V and attacks based on them.
Further discussion. We first make a brief discussion on how likely similar attacks would be on full SNOW-V. For full SNOW-V, two 32-bit adders "⊞32" are used in the FSM part: one is used to generate the 128-bit keystream as z_t = (T1_t ⊞32 R1_t) ⊕ R2_t, and the other is used to update the first register R1 as R1_{t+1} = σ((T2_t ⊕ R3_t) ⊞32 R2_t). In the course of approximating the FSM, we can derive a new type of function G : F_2^128 × F_2^128 × F_2^128 → F_2^128 such that G(X^(1), X^(2), X^(3)) = X^(1) ⊞32 σ(X^(2) ⊞32 X^(3)). Bitwise linear approximations for the FSM of SNOW-V can be constructed if the bitwise linear approximation of G could be efficiently computed, and thus similar attacks could be mounted. Actually, we have been doing research on full SNOW-V and have achieved some initial results; a deeper study of the bitwise linear approximations of SNOW-V is part of our future work. Besides, it is well known that the SEI of a bitwise linear approximation is always smaller than or equal to the SEI of a multidimensional linear approximation that covers the masks of the bitwise approximations. We will also study the large-unit linear approximations of SNOW-V and its variants in the future.
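As a concrete model, the function G can be written down directly. The sketch below represents 128-bit values as Python integers; σ is taken to be the byte-wise transposition of the 4 × 4 byte matrix used in SNOW-V (an involution, assuming the standard transposition permutation), and ⊞32 is the parallel addition of four 32-bit words. This is only an illustrative model of G, not an approximation algorithm.

```python
# sigma: transpose the 16 bytes viewed as a 4x4 matrix (an involution)
SIGMA = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]

def sigma(x):
    b = x.to_bytes(16, "little")
    return int.from_bytes(bytes(b[SIGMA[i]] for i in range(16)), "little")

def add32(a, b):
    """Parallel addition of four 32-bit lanes of two 128-bit values."""
    return sum((((a >> i) + (b >> i)) & 0xFFFFFFFF) << i
               for i in range(0, 128, 32))

def G(x1, x2, x3):
    """G(X1, X2, X3) = X1 +_32 sigma(X2 +_32 X3), as in the SNOW-V FSM."""
    return add32(x1, sigma(add32(x2, x3)))
```

Since σ is a transposition of the byte matrix, applying it twice returns the input, which is a convenient sanity check on the model.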
• In the processing phase, the correlation of the linear approximation of Sbox(•) for each given mask tuple (Γ^(0), Γ^(1)) can be derived by d table lookups, indexed by (Γ_j^(0), Γ_j^(1)) in the j-th table, respectively. This is a linear-time procedure.

Method and Complexity.
In [19], the authors proposed a linear-time algorithm to compute the correlation of the bitwise linear approximation of F for any given mask tuple; we describe it in the following theorem.

For each R ∈ F_2^{ρ+1}, let D_R be the ρ × ρ matrix whose (oc, ic)-element, for ic, oc ∈ {0, ..., ρ − 1}, is computed as in Theorem 2. Let l_ρ be the row vector of length ρ with all elements equal to 1, and let e_0 be the column vector of length ρ with a single 1 in the 0-th row and zeros elsewhere. For any given mask tuple (Γ^(0), Γ^(1), ..., Γ^(ρ)) of the ρ-input addition modulo 2^n, write each Γ^(i) in bits. According to Theorem 2, the procedure for computing the correlation of the bitwise linear approximation of F for any given mask tuple can be divided into the following two phases:

• In the preprocessing phase, 2^{ρ+1} matrices of size ρ × ρ should be pre-computed and stored. For each given R ∈ F_2^{ρ+1}, the matrix D_R can be constructed with a time complexity of O(ρ2^ρ) and a memory complexity of O(ρ^2); thus it requires a total time complexity of O(ρ2^{2ρ+1}) and a memory complexity of O(ρ^2 2^{ρ+1}) to pre-compute D_R for all possibilities of R.

• In the processing phase, the correlation of the linear approximation of F for each given mask tuple (Γ^(0), Γ^(1), ..., Γ^(ρ)) can be obtained by n multiplications of a ρ × ρ matrix with a column vector, plus n additional additions, which is a linear-time algorithm for a fixed ρ.
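A self-contained reconstruction of this two-phase idea for the ρ-input modular addition is sketched below. The ρ × ρ carry-transition matrices D_R are built on the fly here rather than pre-computed and stored, and the indexing conventions are our own assumptions, not the authors' code; a brute-force correlation is included as a cross-check.

```python
from itertools import product

def d_matrix(R, rho):
    """rho x rho carry-transition matrix for one bit position.
    R = (u, v_1, ..., v_rho): output mask bit u and the rho input mask bits."""
    u, vs = R[0], R[1:]
    D = [[0.0] * rho for _ in range(rho)]
    for c_in in range(rho):                        # carry value in {0..rho-1}
        for bits in product((0, 1), repeat=rho):   # one bit from each input
            total = sum(bits) + c_in
            s, c_out = total & 1, total >> 1
            sign = (-1) ** ((u & s) ^ (sum(v & b for v, b in zip(vs, bits)) & 1))
            D[c_out][c_in] += sign / 2 ** rho
    return D

def correlation(masks, n, rho):
    """Correlation of Gamma0.(x1+...+x_rho mod 2^n) ^ Gamma1.x1 ^ ...,
    evaluated as l_rho . D_{R_{n-1}} ... D_{R_0} . e_0 (LSB first)."""
    state = [1.0] + [0.0] * (rho - 1)              # e_0: initial carry is 0
    for i in range(n):
        R = tuple((m >> i) & 1 for m in masks)
        D = d_matrix(R, rho)
        state = [sum(D[r][c] * state[c] for c in range(rho)) for r in range(rho)]
    return sum(state)                              # multiply by all-ones row l_rho

def correlation_bruteforce(masks, n, rho):
    g0, gs = masks[0], masks[1:]
    acc = 0
    for xs in product(range(1 << n), repeat=rho):
        s = sum(xs) & ((1 << n) - 1)
        bit = bin(g0 & s).count("1")
        for g, x in zip(gs, xs):
            bit += bin(g & x).count("1")
        acc += (-1) ** (bit & 1)
    return acc / (1 << (n * rho))
```

Because each bit position contributes one matrix, the per-mask cost is n matrix-vector products, i.e., linear in n for fixed ρ, exactly as stated above.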

Method and Complexity.
In [11], a linear-time algorithm is proposed to compute the correlation of the linear approximation of G under any given mask tuple, and then used to mount attacks on SNOW 2.0 and SNOW 3G. At a very high level, the idea is to divide the n-bit values into d values of m bits according to the specific structure of the function Sbox(•), then pre-compute and store some useful matrices, and finally compute the correlation by matrix multiplications using these pre-computed matrices. We now describe this method briefly.

Figure 1: The keystream generation phase of the SNOW-V stream cipher

Figure 2: The AES encryption round function AES^R with the round key constant being 0

Output: all the matrices c_v for all 16 possible values of v.

Figure 3: The FSM part of SNOW-V σ0

n_a^(t) and n_b^(t) are the same noises as those in Section 4.1, and n_c^(t) and n_d^(t) are the noises introduced by the new linear approximation relations (c) and (d), respectively. In what follows we simplify the notation and write n_a, n_b, n_c and n_d, respectively.

Figure 6: The FSM part of SNOW-V⊞8,⊞8

Computation of Θ′ from the given mask Θ such that Θ′ • x = Θ • MixColumns(ShiftRows(x))
In the FSM of SNOW-V, the full AES round function (denoted by AES^R) is used to update the 128-bit registers. Given a 128-bit output mask Θ of AES^R, we let ∆ be the mask computed from Θ by combining the MixColumns of the AES round function such that ∆ • y = Θ • MixColumns(y) for all y ∈ F_2^128, and let Θ′ be the mask computed from ∆ by combining the ShiftRows of the AES round function such that Θ′ • x = ∆ • ShiftRows(x) for all x ∈ F_2^128. We then have Θ′ • x = Θ • MixColumns(ShiftRows(x)) for all x ∈ F_2^128. Before we describe how to compute the masks ∆ and Θ′, let us define a linear transformation lin : F_2^32 → F_2^32, where Λ′ = lin(Λ) represents the linear mask computed from Λ by combining the MixColumn matrix (denoted by M) of the AES round function, i.e., Λ′ • x = Λ • Mx for all x ∈ F_2^32.
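Computing Θ′ from Θ amounts to pulling the mask back through the F_2-linear map MixColumns ∘ ShiftRows, i.e., applying the transpose of its binary matrix. The generic sketch below does this for a toy 16-bit F_2-linear map L standing in for the 128-bit transformation; the map and the width are illustrative assumptions.

```python
def parity(v):
    return bin(v).count("1") & 1

def pull_back_mask(theta, L, width):
    """Given an output mask theta of an F2-linear map L on `width` bits, return
    theta' with theta'.x = theta.L(x) for all x (transpose of L's F2-matrix)."""
    theta_p = 0
    for i in range(width):
        # bit i of theta' is theta . L(e_i), where e_i is the i-th unit vector
        if parity(theta & L(1 << i)):
            theta_p |= 1 << i
    return theta_p

# Toy F2-linear map on 16 bits: a byte swap (ShiftRows-like) followed by an
# xor with a shift (MixColumns-like); purely illustrative
def L(x):
    x &= 0xFFFF
    rot = ((x << 8) | (x >> 8)) & 0xFFFF
    return rot ^ ((rot << 1) & 0xFFFF)
```

By linearity, Θ′ • x = Σ_i x_i (Θ • L(e_i)) = Θ • L(x), so the pulled-back mask satisfies the defining relation for every input x.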